Persistent Engagement, Agreed Competition, and Cyberspace ... · Persistent Engagement, Agreed...

SPECIAL EDITION 2019 | 267

MICHAEL P. FISCHERKELLER : RICHARD J. HARKNETT

Persistent Engagement, Agreed Competition, and Cyberspace Interaction Dynamics and EscalationMichael P. Fischerkeller Institute for Defense Analyses Alexandria, Virginia

Richard J. Harknett University of Cincinnati Cincinnati, Ohio

ABSTRACT

Policymakers and academics have raised concerns over escalation should states adopt a more proactive cyberspace posture. The unspoken context for those fears is potential, episodic, offensive cyber operations that threaten to cause, or cause, physical damage. This narrow focus excludes an equally, if not more

important, strategic space—actual, continuous, strategic competition without resort to armed attack, a space which, according to 2018 U.S. strategic guidance, poses a central challenge to national security. U.S. Cyber Command (USCYBERCOM) has described a strategic approach to cyberspace intended to counter and contest adversary gains: per-sistent engagement. This approach is assessed through a re-consideration of Herman Kahn’s On Escalation. It is concluded that competitive interaction in cyberspace short of armed conflict in an agreed competition, as opposed to spiraling escalation, best explains the dynamic from persistent engagement and, consequently, prevailing concerns of es-calation are unwarranted. Agreement to compete robustly short of armed conflict may be the grand strategic consequence of cyberspace.

Keywords—escalation, agreed competition, cyberspace, interaction, persistent engagement, strategy.

I. INTRODUCTIONA significant concern among policymakers and academics discussing cyber operations

is a fear of escalation should states adopt a more proactive posture in cyberspace.[1] Past policy statements and international security scholarship tend to focus narrowly on the escalation dynamics resulting from cyberattacks, or the threat thereof, which might cause physical damage or loss of life. This limited focus on potential and episodic, cyber-enabled

This work was funded by the Institute for Defense Analyses, Alexandria, Virginia.

© 2019 Michael P. Fischerkeller, Richard J. Harknett

268 | THE CYBER DEFENSE REVIEW

PERSISTENT ENGAGEMENT, AGREED COMPETITION, AND CYBERSPACE INTERACTION DYNAMICS AND ESCALATION

crises or war scenarios excludes an equally, if not more important, strategic space—actual and continuous, strategic competition in cyberspace that does not reach the level of armed conflict. In 2018, U.S. strategic guidance in the National Security Strategy of the United States of America (NSS) shifted to emphasize the significance of this competitive space, and US-CYBERCOM prescribed a strategic approach of persistent engagement to contest and counter the ability of adversaries to gain strategic advantage without engaging in armed attack. This article considers this shift in U.S guidance documents and analyzes the potential interaction dynamics in a strategic cyber environment structured by interconnectedness—constant con-tact—persistent engagement. In so doing, the article introduces a distinction between inter-action and escalation dynamics. This article concludes that fears that persistent engagement in cyberspace will result in spiraling or uncontrollable escalation are not warranted because advantage can be gained through competitive interactions, rather than through the pursuit of escalation dominance.

This article is structured as follows. To set the context under which interaction dynamics will be considered, the first section summarizes the view of a competitive environment described in the White House and U.S. Department of Defense (DoD) 2017 and 2018 strategic guidance. This is followed by an overview of the strategic approach of persistent engagement—both its theoretical and conceptual foundations and its operational prescription as provided by USCY-BERCOM. Next is a review of the core security studies literature on escalation dynamics—in general and specific to cyberspace. The current strategic environment is then considered in light of this scholarship, generating a set of propositions regarding the impact of persistent en-gagement on cyberspace interaction dynamics. The stability of these operational dynamics is then discussed, followed by a brief consideration of shifting away from the traditional “ladder” metaphor for understanding cyberspace interaction dynamics.

II. STRATEGIC ENVIRONMENT The 2018 NSS and its complements, the National Defense Strategy (NDS) and the Department

of Defense 2018 Cyber Strategy, stand in marked contrast to their predecessors in their decla-rations that adversaries are executing strategic campaigns short of an armed attack to secure and advance national interests. Indeed, these documents assert that the central challenge to U.S. security and prosperity is the reemergence of a long-term, strategic competition with revi-sionist and rogue regimes and actors that have become skilled at operating below the threshold of armed conflict, challenging the United States, its allies, and partners with deniable, hostile actions that seek to undermine faith and confidence in democratic institutions and the global economic system.[2]

Cyberspace and its derivative cyber operations, in particular, have been identified as offering state and non-state adversaries the ability to wage strategic campaigns against American politi-cal, economic, and security interests without ever physically crossing U.S. borders.[3] This view is presented most comprehensively in the 2018 Command Vision for U.S. Cyber Command, in



which adversaries are described as continuously operating against the United States below the threshold of armed conflict—demonstrating the resolve, technical capability, and persistence to undertake strategic cyberspace campaigns to weaken U.S. democratic institutions and gain economic, diplomatic, and military advantages.[4],[5] What is of critical importance to note from these documents is the assessment that these operations short of armed conflict can have a cumulative impact at the strategic level: these operations can degrade or damage sources of American national power. Analytically, if this assessment is correct, it is not simply the United States that can be affected by such operations, but, in practice, all state actors reliant on cyber-space for the development and projection of national power. It is in response to this challenge that USCYBERCOM has prescribed the strategic approach of persistent engagement.

III. PERSISTENT ENGAGEMENTFrom a security studies perspective, cyberspace may be best understood as a technically

enabled operational domain with distinct features that shape particular behaviors by state actors, businesses, and even individuals. Interconnectedness is the oft-cited, but rarely em-braced in strategic thinking, core structural feature. If one accepts interconnectedness as such, then fundamental international relations concepts for understanding or explaining actor be-haviors come into question, such as sovereignty and territoriality, because the core condition that follows from interconnectedness is constant contact, a term referenced by USCYBERCOM to describe the cyberspace operating environment.[6],[7] This condition, when coupled with the nature and substance of cyberspace—a vulnerable and resilient technological system that is a global warehouse of and gateway to troves of sensitive, strategic information—encourages persistent opportunism to access and leverage those sensitive data while simultaneously re-quiring states to continuously seek to secure those data and data flows from others. The combi-nation of interconnectedness and constant contact with cyberspace’s ever-changing character both in “terrain” and in the capacity for maneuver across that terrain further encourages op-erational persistence and persistent engagement in order to secure and leverage critical data and data flows.[8] When these factors are considered in sum, in operational reality, operational persistence and persistent engagement become a strategic imperative for states seeking to secure and advance their interests in, through, and from cyberspace.

This theoretical and conceptual argument for operational persistence and persistent engage-ment is consistent with nearly a decade of domain and operational observations by USCYBER-COM. For example, in reference to the ever-changing character of cyberspace, the Command Vision notes that cyberspace is where new vulnerabilities and opportunities continually arise as new terrain emerges; no target remains static; no offensive or defensive capability remains indefinitely effective; no advantage is permanent; and well-defended cyber terrain is attainable but continually at risk. And adversary offensive activities are also said to persist because op-portunity costs are low, and accesses, platforms, and payloads can remain useful for extended periods.[9],[10]



To operate effectively in this dynamic environment, USCYBERCOM prescribes that the Unit-ed States increase resiliency, defend forward as close as possible to the origin of adversary activity, and contest cyberspace actors to generate continuous tactical, operational, and stra-tegic advantage.[11] They argue that a strategic approach of persistent engagement—described operationally as the combination of seamless resiliency, forward defending, and contesting—will compel many U.S adversaries to shift resources to defense and reduce attacks. Moreover, persistent engagement is expected to allow for greater freedom of maneuver to impose tactical friction and strategic costs on U.S. adversaries pursuing more dangerous activities before they impair U.S. national power. This effort seeks to render the majority of adversary cyber and cyber-enabled activity inconsequential.

The Command Vision is absent any discussion of potential escalation risks from a strategic approach of persistent engagement.[12] This is a notable omission because the document does include a section on risks and risk mitigation.[13] Given that continuous engagement is intend-ed to create uncertainty and cause friction, two factors often associated with increased risk of escalation, those predisposed to escalation concerns likely view this approach with alarm. Whether or not they should is a key question and the focus of the remainder of this article.

IV. BACKGROUND ON ESCALATION DYNAMICSIt is not contentious to say that modern thinking regarding escalation dynamics was intro-

duced in the seminal work of Herman Kahn, in which he defined escalation as “an increase in the level of conflict in international crisis situations.”[14] Starting with the assumption of some limited conflict or agreed battle, Kahn proposed a framework populated by three mech-anisms (“ways”) in which a would-be escalator could increase, or threaten to increase, his ef-forts: “increasing intensity,” “widening the area,” and “compounding.”[15] Intensity is described as a function of doing more of what one is already doing—using more equipment; using new equipment; attacking new targets, such as logistics; or a more “intensive increase,” such as switching to nuclear weapons or attacks on cities.[16] Widening the area is described as increas-ing the geographical scope of the conflict. Compounding is described as extending the conflict to include allies or clients. Kahn’s escalation ladder was developed with a focus on the delib-erate escalation in potential, episodic conflicts, giving primary attention to the threat or reality of force or coercion as a factor in negotiation.[17] Stated differently, in order to explore potential escalation dynamics from the launching point of a limited conflict, Kahn assumed that pursuit of any of these three ways would be viewed as escalatory. The state that could employ these mechanisms to achieve escalation dominance could gain strategic advantage. This was all ne-cessitated by the need to avoid all-out nuclear war.

Kahn argues that there are two basic classes of strategies that each side can use when engaged in limited conflict or agreed battle. One class makes use of the factors relating to particular levels of escalation in order to gain an advantage. The other uses the risks or threat of escalation or eruption from the agreed battle.[18] The latter, he notes, refers to the class of deterrence strategies.



Given its foundational and enduring value, it is not surprising to find Kahn’s influence in more recent scholarship on escalation dynamics that focuses on nuclear as well as non-nucle-ar-capable states in potential, episodic confrontations that involve or might come to involve the use of military force.[19] Morgan et alia expand Kahn’s focus of deliberate escalation to include other mechanisms: inadvertent as well as accidental escalation. Similar to Kahn’s description, deliberate escalation is understood as being carried out with specific purposes in mind. For example, a party may deliberately escalate a conflict to gain an advantage, to preempt, to avoid defeat, to signal an adversary about its own intentions and motivations, or to penalize an ad-versary for some previous action.[20] Inadvertent escalation is described as when one party deliberately takes actions that it does not believe are escalatory but which are interpreted as escalatory by another party to the conflict.[21] Such misinterpretation may occur because of incomplete information, lack of shared reference frames, or one party’s thresholds or “lines in the sand” of which other parties are not aware. Finally, accidental escalation is described as when some operational action has direct effects that are unintended by those who ordered them—for example, a weapon may go astray to hit the wrong target, the rules of engagement may be unclear, a unit may take unauthorized actions, or a high-level command decision may not be received properly by all relevant units.[22]

Morgan et alia also assign Kahn’s “ways” of escalating to dimensions, where the vertical dimension is associated with “increasing intensity” and a horizontal dimension is associated with “widening the area.” They further equate the combination of horizontal and vertical with Kahn’s “way” of compounding. In addition, they introduce a political dimension to escalation, which is described as when states adopt more extreme or unlimited objectives in crises/con-flicts or, alternatively, pursue measures such as relaxing behavioral constraints that protect civilians.[23] Like Kahn’s work, the study also proposes that the class of deterrence strategies is best suited for managing an enemy’s propensity for deliberate escalation—discouraging an enemy from deliberately escalating a conflict by convincing that enemy that the costs of such actions will outweigh the benefits that may be accrued through escalation.[24] Within that class of strategies, they further argue that the key to managing risks of inadvertent escalation lies in clarifying thresholds—on all sides of a conflict.[25] Finally, they propose that the key to mitigat-ing accidental escalation lies in an effective command and control strategy.[26]

V. CYBERSPACE ESCALATION DYNAMICSHerbert Lin was an early adopter/adapter of the Morgan et alia framework for cyberspace by

referencing it to aid in answering how the initial stages of conflict in cyberspace might evolve or escalate and what might be done to prevent or deter such escalation.[27] Lin also focused on how potential, episodic cyber conflict at any given level might be de-escalated or terminated (and what might be done to facilitate de-escalation or termination) and how cyber conflict might escalate into kinetic conflict (and what might be done to prevent kinetic escalation).[28]



Lin’s approach to responding to these questions is largely grounded in generating new sets of questions about, and challenges associated with, escalation dynamics in cyberspace. In sup-port of his objective in writing the article, these serve as valuable checklists for national secu-rity planners and policymakers to reference in preparing for and managing a cyber-enabled crisis or armed conflict.[29]

Martin Libicki also adopted the Morgan et alia framework to explain escalation risk and dy-namics in cyberspace, albeit with a stronger focus on potential risk.[30] Like Kahn and Morgan et alia, the context for his escalation discussion is potential, episodic conflicts (conflicts that involve or might come to involve military force); once a crisis has blossomed into conflict, he states, crisis management becomes escalation management.[31] Stated differently, he focuses on the escalation risks associated with operational cyber war in which cyberattacks are carried out against targets that are considered legitimate war targets. Different types of targets are ar-gued to carry different risks of escalation. Those outside a local conflict zone will carry one set of risks, civilian targets may carry another, dual-use another, and military and strategic targets yet another. Libicki argues that the relative severity of those risks is a function of the value the adversary places on the targets.[32]

A similar argument is presented by Lawrence Cavaiola et alia in an article on escalation dy-namics in a potential, episodic, cyber-enabled war.[33] This effort blends Libicki’s arguments into a succinct presentation, arguing that escalation could happen along three paths: horizontal, from military to civilian systems; vertical, from tactical to strategic military systems (perhaps affecting those that control nuclear weapons); and vertical, from limited civilian targeting to major civilian consequences.[34] Similar to other studies, the primary focus is on deliberate escalation, but the potential for inadvertent and accidental escalation is also explored by con-sidering the many unique challenges that cyberspace and cyber operations pose, perhaps the most significant being uncertainty associated with attribution and primary (and/or potential secondary or tertiary) operational effects.

In sum, Kahn’s work laid the conceptual foundations for thinking about “ways” in which would-be escalators could pursue escalation dominance and thereby achieve a strategic ad-vantage in a limited conflict. Scholars have begun to theorize what escalation dynamics may look like using similar ways in a cyber conflict. That said, there exists no “escalation ladder” equivalent, nor has there been a rich discussion of whether the “ladder” metaphor is even appropriate. This review also highlights that most of the cyberspace escalation scholarship adopt the same point of origin as Kahn (i.e., the deliberate escalation from a potential, episodic, operational conflict or agreed battle), giving primary attention to the threat or reality of force or coercion as a factor in negotiation. In addition, all also argue that the class of deterrence strategies is best for managing escalation from this starting point. Set against the empirical record of cyber operations over the past 15 years, however, it raises the question of why have we not seen a recurring escalation.[35] Why has this remained a space dominated, instead, by competitive interaction?[36]



VI. CYBERSPACE INTERACTION DYNAMICS AND ESCALATION IN TODAY’S STRATEGIC ENVIRONMENT

The security studies community primarily has focused on escalation dynamics in cyberspace at the exclusion of interaction dynamics. Kahn, however, provides a basis for their consider-ation by mentioning a second class of strategies for managing escalation for agreed battle, a class that has all but been forgotten—making use of the factors relating to particular levels of escalation in order to gain an advantage.[37] This is the class of strategies into which persistent engagement appears to fit. Whereas deterrence strategies are well and commonly understood, this second class deserves further elaboration because it can play an important role in under-standing cyberspace interaction as opposed to escalation dynamics. But first, the concept of agreed battle has to be considered in light of the current strategic environment because it will establish the strategic context for discussing this second class of strategies in the same.

As noted above, agreed battle is a concept rooted in factors relating to particular levels of escalation. It emphasizes that in an escalation situation in which both sides are accepting lim-itations, there is, in effect, an “agreement,” whether or not it is explicit or even well understood. “Thus the term does not have any connotation of a completely shared understanding, an inten-tion of containing indefinitely with the limitation, or even a conscious quid pro quo arrange-ment.”[38] Scholars who emphatically and urgently emphasize the importance of establishing cyberspace behavioral norms will see the construction of norms in this concept.[39] Others have argued, however, that de facto norms have already been established in cyberspace by states pursuing strategic cyber campaigns that generate effects short of armed attack.[40] In fact, the U.S. 2018 NSS, NDS, DoD Cyber Strategy, and Command Vision admit as much by stating that adversaries are continuously operating strategically against the United States short of armed conflict via strategic cyberspace campaigns to gain economic, diplomatic, and military advan-tages. What is important to note in Kahn’s rendering is that the “agreed” part of the battle rests on interactions between adversaries, which, despite being complex and nuanced, can come to be understood and shared between actors.[41] He notes that states can come to recognize “what the ‘agreed battle’ is and is not, what the legitimate and illegitimate moves are, and what are ‘within the rules’ and what are escalatory moves.”[42]

Building upon Kahn’s notion and applying it to current cyberspace campaigns and opera-tions, open-source evidence suggests that U.S. adversaries have, through their behaviors, tacit-ly established an agreed competition in cyberspace, bounded by the operational space inclusive of and above operational restraint (i.e., inactivity) and exclusive of and below operations gen-erating armed-attack equivalent effects.[43] After eight years of observing the persistent opera-tion of adversaries in cyberspace, USCYBERCOM argued that a strategic approach of persistent engagement was best suited for securing and advancing national interests in this agreed com-petition.[44] This, in effect, meets Kahn’s definition of a class of strategy that makes use of the features of the particular agreed interaction space. The United States’ adoption of this strategic approach will introduce new interactions into the agreed competition.



A. Structural Imperatives and Strategic Incentives

The earlier introduction to the theoretical and conceptual foundations supporting persistent engagement argued that the interconnectedness of cyberspace creates a structural condition that generates a strategic imperative for operational persistence and persistent engagement. Presuming that states respond to this imperative, a robust, strategic competition in cyberspace should be expected. However, that same condition and those same features also generate in-centives for states to limit the impact of their cyber operational effects below the threshold of armed attack. Two incentives, in particular, are that deliberate escalation to armed attack equivalence could result in a cyberspace war that would likely be of long duration; expensive; and result in few, if any, enduring strategic gains.[45] In addition, crossing the armed attack threshold opens the door for states to legitimately bring to bear cross-domain, conventional, kinetic weapons based on an argument of self-defense.[46] Regarding the latter, once a conflict has expanded into multiple domains, the pursuit of national interests involves very different risks, costs, and challenges. It would no longer be agreed competition, but conflict, and poten-tially war.

In addition to these strategic incentives, James Lewis has offered a thoughtful and compre-hensive discussion of the political and strategic constraints states also face in deliberately es-calating above the armed attack threshold.[47] He argues that, if you consider how great powers have historically made strategic decisions about entering into conflict, resorting to operations equivalent to an armed attack in cyberspace is highly unlikely. The existential conflicts of the last century—conflicts that required mass mobilization, territorial invasion, and mass destruc-tion (including critical infrastructure) to realize strategic ends—are not present today.[48] States may seek to challenge the existing international order, but these are not existential challenges to any other state, and the constraints of cost and destruction induce caution in the ways and means which those challengers adopt. And so, for example, destructive attacks on critical infra-structure are more likely to appear as too risky for U.S. adversaries, of limited benefit to their goals, and perhaps irrelevant in achieving the desired strategic outcome of undermining U.S. hegemony and building regional dominance without armed conflict with the United States.[49]

This perspective is further supported empirically through an analysis of a decade of cyber disputes among rival states.[50]

One of the main impetuses to examining escalation control in the 1960s was the recognition among theorists and policymakers that fighting all-out nuclear war overshot any advancement of national interest. So the question became how one might advance interests, despite that risk, without using nuclear weapons. It appears that a parallel logic is taking (or has taken) hold in the strategic use of cyber means. That is, if cyber means are to have unique, strategic value, it will come from operations short of armed attack equivalence that cumulatively en-hance one’s own power or degrade and destabilize others’ sources of national power. It could be argued, therefore, that armed attack/war (traditionally involving measures of death and



destruction) with cyber means actually overshoots the strategic utility of cyber operations. That would be “eruption,” in the language of Kahn, beyond the ceiling of agreed competition. And that outcome would be, for rational, strategic cyber actors, a failure of strategy. And so there is a strategic rationale for seeking to gain an advantage in, through, and from cyberspace short of armed attack. Actors might decide to engage in war, but the strategic purpose of the competitive interactions in agreed competition is to avoid having to do so.[51],[52]

If one accepts the above arguments that there are structural incentives and strategic ratio-nales from which agreed competition emerged and because of which it will sustain if and when the United States adopts a strategic approach of persistent engagement, an entirely new strategic space that has heretofore been unexplored for interaction and escalation dynamics is laid bare.

B. Agreed Competition – Competitive Interaction

To reiterate, when discussing agreed battle, Kahn argues one class of strategies use the risks or direct threat of escalation beyond the agreed battle to gain advantage over an adversary. These range from red lines (declared deterrence) to riskier forms of brinkmanship as well as forms of Thomas Schelling’s coercive bargaining.[53] In discussing agreed battle, Kahn also recognizes a second class of strategies through which advantage can be gained by leveraging the unique features particular to a level of escalation (the space between recognized rungs in Kahn’s escalation ladder). It has been argued above that in today’s strategic environment, what defines the “particular level of escalation” associated with agreed competition is the space inclusive of and above operational restraint and exclusive of and below effects equivalent to an armed attack. As such, the latter represents a de facto ceiling for effects in this competition. In efforts to gain advantage in this agreed competition, then, it can be expected that states will do so through competitive interaction below this ceiling.

Kahn describes three mechanisms for seeking strategic advantage through escalation: wid-ening, compounding, and intensifying. If we operationalize how these mechanisms manifest in cyberspace and review open-source data on their occurrence, we are left wondering why we’ve not seen recurring escalation as Kahn would have expected given the prevalence of all three over the past decade. We argue it is a result of the combination of the structural and strategic features discussed above combining to produce a strategic environment in which competitive interaction is actually strategically salient; that is, one can gain an advantage without escalat-ing, so that operations and the strategy guiding them are focused on a very different dynamic.

Employing cyber operations short of armed-attack equivalence, states are able to secure their own and degrade, usurp, or circumvent others’ national power (economic, diplomatic, military, and social cohesion) by targeting specific data, data flows or sectors, industries, and popula-tions that are the sources of that power. Competitive interaction in agreed competition, then, can be understood as campaigns populated by cyber operations seeking, over time and space, to generate cumulative, strategic effects (i.e., to gain advantage) by targeting sources of national



power. We propose that a different set of mechanisms (from Kahn) for achieving advantage is more descriptive of the behaviors in which comprises competitive interaction: increases in scale, scope, and/or intensity.[54] In this agreed competition within cyberspace, increasing scale can be measured as an increase in the number of systems affected, and scope as the number of actors affected or implicated as having caused an effect (we address intensity later in this article). Characterizing cyber operational behavior using these measures leads to an obvious conclusion— the class of strategies best suited for managing competitive interaction dynamics in this agreed competition is that which inhibits adversary efforts to increase the scale, scope, and/or intensity of cyber operations/campaigns. The strategic approach of persistent engage-ment intends to do just that through operations that maneuver seamlessly between defense and offense across the interconnected cyber battlespace to compete more effectively outside of armed conflict.[55]

There is substantial, publicly reported evidence of specific U.S. adversaries engaging in efforts to increase the scale and scope of their activities (as described in this manner) for the last several years, with different states doing so for different reasons to address their strategic interests.[56] China has invested a great deal of effort in targeting a range of industry and commercial enter-prises in pursuit of general scientific, technical, and business information. Examples include exfiltration of data on the F-35 Joint Strike Fighter, the F-22 Raptor fighter jet, and the MV-22 Osprey. This cyber campaign, directed at contractors and agencies residing within and external to U.S. borders (a combination of increasing scale and scope), will reduce costs and accelerate the development of foreign weapon systems; enable reverse engineering and countermeasure development; and undermine U.S. military, technological, and commercial advantage.[57],[58] China has also sought out more specific information through cross-sector industry cyber oper-ations targeting personally identifiable information (PII), possibly with the objective of using these data to facilitate future “insider” cyber operations, assist in the recruitment of human intelligence assets, or identify and monitor persons of interest to the government (e.g., dissi-dents, foreign journalists, and/or others who may pose a threat to the Communist Party’s im-age and legitimacy).[59] Russia, through its campaign of cyber operations—including those used in Russia’s war with Georgia in 2008 and those used to influence the Brexit referendum and the U.S. election in 2016—is pursuing a strategic campaign to undermine Western democracies and weaken the multilateral alliances that Russia sees opposing its future, including the North Atlantic Treaty Organization and the European Union.[60] Finally, it has been concluded with confidence that North Korea, in efforts to mitigate the impact of international economic sanc-tions, has successfully subverted for significant monetary gain the Society for Worldwide Inter-bank Financial Telecommunication system.[61] Those funds likely contributed to North Korea’s ability to continue investing in its nuclear enterprise, allowing it to finally cross the threshold for intercontinental ballistic delivery and thereby undermine U.S. military overmatch.

Table 1 offers a brief summary of a few strategic cyber campaigns over a two-year period characterizing operations/campaigns of increasing scale and scope and ascribes motivations for the same by advanced persistent threat (APT) groups—groups that are assessed as taking direction from a nation-state.[62] The table includes a 2014–2016 summary of a few strategically relevant industries, the number of threat sources, ascribed objectives for the operations, and malware families.[63] Note that the breadth of the reported industry threats and the objectives for the same cut across military, economic, and diplomatic sources of national power.

Industry Attack Source

Objective Malware Families(Top Three)

Aerospace & Defense

24 APT groups

Acquire intellectual property to advance domestically produced capabilities, develop countermeasures to degrade adversary military overmatch, and produce arms for sale on global market.

47% GhOstRAT 21% PcClient 13% ZXShell

Construction & Engineering

25 APT groups

Acquire intellectual property pertaining to technical innovations, expertise, and processes to develop and advance state-owned firms and to better position those firms for bids against and negotiations with foreign firms.

52% LEOUNCIA20% LV (a.k.a. NJRAT)13% GhOstRAT

Financial Services & Insurance

15 APT groups

Gain insight into company operations or information on potentially sensitive customers.

34% WITCHCOVEN 22% XtremeRAT 19% GhOstRAT

Government & International Organizations

9 APT groups

Gain an edge in negotiations and agreements. 49% GhOstRAT30% ERACS14% PHOTO

Health Care & Health Insurance

13 APT groups

Acquire PII to facilitate future “insider” cyber operations, assist in the recruitment of human intelligence assets, or identify and monitor persons of interest to the government.

49% WITCHCOVEN 32% XtremeRAT11% ChinaChopper

Hi- Tech & Information Technology

20 APT groups

Acquire economic and technical information to support the development of domestic companies through the reduction of research and development costs.

29% GhOstRAT26% TAIDOOR 19% POISON IVY

Table 1: Summary of 2014–2016 Cyber Threats to Industry

A second example of the increasing scale and scope is the previously referenced case of Russia’s use of cyberspace (through social media, specifically) to undermine the confidence of adversaries’ populations and leaders in their democratic institutions and alliances, respec-tively.[64] In this campaign, the increasing scale was characterized by micro-targeting at scale within populations.

In all of these cases, at the individual actor level, the strategic advantage is being gained without needing to erupt out of the agreed competition space. The mechanisms of increasing scale and scope in cyberspace are best understood not as ways of leveraging escalation, but as ways of leveraging competitive interactions.



Table 1 offers a brief summary of a few strategic cyber campaigns over a two-year period characterizing operations/campaigns of increasing scale and scope and ascribes motivations for the same by advanced persistent threat (APT) groups—groups that are assessed as taking direction from a nation-state.[62] The table includes a 2014–2016 summary of a few strategically relevant industries, the number of threat sources, ascribed objectives for the operations, and malware families.[63] Note that the breadth of the reported industry threats and the objectives for the same cut across military, economic, and diplomatic sources of national power.

Industry Attack Source

Objective Malware Families(Top Three)

Aerospace & Defense

24 APT groups

Acquire intellectual property to advance domestically produced capabilities, develop countermeasures to degrade adversary military overmatch, and produce arms for sale on global market.

47% GhOstRAT 21% PcClient 13% ZXShell

Construction & Engineering

25 APT groups

Acquire intellectual property pertaining to technical innovations, expertise, and processes to develop and advance state-owned firms and to better position those firms for bids against and negotiations with foreign firms.

52% LEOUNCIA20% LV (a.k.a. NJRAT)13% GhOstRAT

Financial Services & Insurance

15 APT groups

Gain insight into company operations or information on potentially sensitive customers.

34% WITCHCOVEN 22% XtremeRAT 19% GhOstRAT

Government & International Organizations

9 APT groups

Gain an edge in negotiations and agreements. 49% GhOstRAT30% ERACS14% PHOTO

Health Care & Health Insurance

13 APT groups

Acquire PII to facilitate future “insider” cyber operations, assist in the recruitment of human intelligence assets, or identify and monitor persons of interest to the government.

49% WITCHCOVEN 32% XtremeRAT11% ChinaChopper

Hi- Tech & Information Technology

20 APT groups

Acquire economic and technical information to support the development of domestic companies through the reduction of research and development costs.

29% GhOstRAT26% TAIDOOR 19% POISON IVY

Table 1: Summary of 2014–2016 Cyber Threats to Industry

A second example of the increasing scale and scope is the previously referenced case of Russia’s use of cyberspace (through social media, specifically) to undermine the confidence of adversaries’ populations and leaders in their democratic institutions and alliances, respec-tively.[64] In this campaign, the increasing scale was characterized by micro-targeting at scale within populations.

In all of these cases, at the individual actor level, the strategic advantage is being gained without needing to erupt out of the agreed competition space. The mechanisms of increasing scale and scope in cyberspace are best understood not as ways of leveraging escalation, but as ways of leveraging competitive interactions.



C. Cyber-Enabled Conflict – Deliberate Intensification and Escalation

It is from the point of origin of cyber-enabled crises or war that most cyberspace escalation dynamics scholarship has been written. In this context and as related to this article, this point is realized when an actor has deliberately escalated from agreed competition by threatening to or generating cyber operational effects that are equivalent to armed attack. Escalation in cy-berspace, then, is defined as an increase from the level of agreed competition to conflict (which would be inclusive of Kahn’s definition of an increase in the level of conflict in international relations in crisis situations).[65] In this framework, the potential mechanism for erupting out of agreed competition is intensifying. Intensifying within cyberspace is characterized by cam-paigns and/or operations that include increases in frequency (as a function of count over time), duration, damage, hierarchical level, and visibility of effects.[66] Intensifying may also include expanding cyber operations to other operating domains. To help ground the concept of intensi-fying in actual events, a few examples follow.

Intensifying is found in the Russian campaign targeting Estonia in 2007. On the night of April 26, 2007, Estonian Government websites were subject to denial-of-service (DoS) and dis-tributed DoS (DDoS) effects. The perpetrator launched 1,000 assaults that day, increasing that number to 2,000 per hour on the second day. On May 9, the day marking the peak of the as-sault, the perpetrator was injecting an average of four million packets of data per second. The assaults came in waves, were delivered from up to 85,000 systems, and continued for a 23-day period.[67]

Behavior that would be characterized as escalatory (i.e., intensifying to generate armed-at-tack equivalent effects—a breach of the ceiling associated with agreed competition) can be illus-trated through two cases[68] Perhaps the most publicized example occurred in 2010 with the de-ployment of Stuxnet, which caused significant damage to the Natanz Fuel Enrichment Plant.[69] Additionally, in 2014, a report issued by Germany’s Federal Office for Information Security revealed that an unnamed steel mill in Germany had suffered “massive,” though unspecified, damage when its control systems were manipulated and disrupted to such a degree that a blast furnace could not be properly shut down.[70]

In the escalation dynamics scholarship referenced in this article, the strategic recommen-dation for managing deliberate escalation, in cyberspace as well as other domains, is the class of deterrence strategies. But what if such a strategy fails and an adversary deliberately in-tensifies in cyberspace? How can such an action be managed in cyberspace through cyber operations within agreed competition and beyond it? The cases cited above hint that managing such intensification and escalation is possible, since in none of them does one find extended spirals of increasing intensification or escalation. Rather, what occurred was dissipation or a move back into the agreed competition space, respectively, followed by a recommencing of cyber campaigns/operations whose effects were short of armed attack. In what may appear counterintuitive to conventional wisdom, the more competitive interaction that occurs within the



agreed competition space, the more that clarity will emerge on the demarcations of illegitimate or legitimate cyber operations and what is outside or within the “rules” of agreed competition and, thus, may or may not lead to escalation.[71] These cases of intensification imply that the management of dynamics (rather than spiraling) is possible.[72]

D. Cyber-Enabled Conflict – Managing Deliberate Intensification and Escalation

While we have argued there are strong, strategic rationales for not breaching agreed compe-tition, there may be certain circumstances under which actors nonetheless feel compelled to do so. But even when those circumstances may arise, the unique characteristics of cyberspace and cyber operations present opportunities for actors to mitigate the likelihood that such de-liberate intensification will lead to an extended breach of agreed competition and a spiraling escalatory dynamic. Those same characteristics, therefore, may reinforce cautiousness when considering deliberate escalation and limitations if escalation were to occur.

To begin, let us quickly and briefly set aside the notion that escalation dominance within cy-berspace is a viable strategic option at this time. It is not, because dominance is not sustainable in cyberspace, given the fluidly contested and congested nature of the domain. Importantly, there is a distinction, however, between the condition of dominance and the possibility of con-tested superiority that might be sustained for some period of time, leading to some strategic advantage. This position has support from both a theoretical/conceptual perspective and an operational one, with the latter stated in USCYBERCOM’s Command Vision.[73] If cyberspace escalation dominance (or a threat thereof) is not sustainable, what management alternatives remain? The answer lies in the unique characteristics of cyberspace and cyber operations. Note that the discussion that follows applies equally well for managing inadvertent as well as accidental intensification and escalation in cyber-enabled conflict.

To reiterate, intensifying within cyberspace is characterized by campaigns and/or operations that include increases in frequency (as a function of count over time), duration, damage, hier-archical level, and visibility of effects. If an adversary chose to erupt from agreed competition in cyberspace (i.e., generated effects equivalent to armed attack), and the target state chose to respond with equivalent operations in cyberspace, spiraling escalation should not be as-sumed. One way to limit the potential for an undesired escalatory spiral would be to ensure that unintended effects through increasing scale, scope, or intensification (collateral damage) were highly unlikely. Bellovin et alia argue that, contrary to conventional wisdom, such precise targeting and discrimination are possible (indeed, we have already witnessed them) and cyber operations can be designed to reduce proliferation risks.[74]

An alternative (or complementary) targeting strategy would be to select targets whose de-struction, damage, or degradation was visible to only a select audience. In contrast, an al-ternative design strategy could be to allow for temporary degradation or damage and effects whose frequency and duration could be continuously and actively managed. All three of these



operational options could serve to reduce the risk of further deliberate or inadvertent/acciden-tal intensification or escalation.[75] In certain scenarios, covert cyber operations designed to generate well-directed effects that only leadership are able to detect would send a message of resolve, but may also create an environment more conducive to deintensification and non-esca-lation, as leadership might be more inclined toward resolution when considerations of public awareness and any associated protestations need not figure into their deliberations.[76] Libicki discusses this aspect of visibility by offering a distinction between making the adversary look powerless versus making the United States look powerful, where the former focuses on mak-ing a challenger aware (quietly) of its vulnerabilities, and the latter focuses on demonstrating (loudly) U.S. power.[77]

A common, current example of cyber operations that could be designed to allow for tem-porary degradation or damage is cyber operations targeting electrical grids. Such operations could be designed to target industrial control systems—or, specifically, supervisory control and data acquisition systems—and to disrupt power delivery, which would, in essence, hold hostage the functions which those systems support. In such scenarios, states could negotiate demands for system functionality to be restored and permanent system damage to be avoided.[78]

Finally, cyber operations can be designed to be continuously and actively managed, thereby allowing for a constant metering of their effects. This would allow for responsive tuning, for example, of the frequency (count over time) and the duration of effects as a function of adver-sary behavior. Such active command and control of cyber operations could allow for agile man-agement of cyberspace interaction dynamics as uncertainties regarding adversary intentions, objectives, and capabilities become clearer over time.[79]

Conceptually, intensification is a necessary but not sufficient condition for escalation out of agreed competition. The point of the observations above is to note that operations can go be-yond increasing scale and scope and not precipitate spiraling escalation, although it should be acknowledged that in the current immature state of understanding among cyber actors about the consequences of operations, being very careful about not intensifying if one does not want to escalate is prudent. In these early stages of learning about cyber interactions, the possibility of inadvertent or accidental escalation remains more likely than if we had a longer history of cyber interactions upon which to draw.

E. Agreed Competition – Inadvertent and Accidental Intensification and Escalation

Recall that inadvertent escalation was described as when one party deliberately takes ac-tions that it does not believe are escalatory but which are interpreted as escalatory by another party to the conflict. In addition, accidental escalation is when some operational action has direct effects that are unintended. Inadvertent and accidental can be considered as modifiers for both intensification and escalation. Regarding the former, misinterpretation may occur be-cause of incomplete information, lack of shared reference frames, or one party’s thresholds of which other parties are not aware. When considered in the context of agreed competition, cyber operational effects from inadvertent or accidental increases in scale or scope of effects



(e.g., NotPetya) could lead to intensification and then escalation; however, the existing political context would, in large part, determine the degree to which the operations were viewed as con-sequential. In a period of severe crisis between adversaries, for example, inadvertent and/or accidental effects from cyber operations could subsequently lead to deliberate intensification or escalation by the targeted state or states. In the previous section, however, several unique characteristics of cyberspace and cyber operations were highlighted which an affected state could leverage to respond in a measured manner and potentially deintensify or de-escalate the situation. So it is not contradictory to note that, while states will increasingly experiment with strategically salient cyber campaigns and operations, they will likely do so in a risk-informed manner as they have done over the past decade, in part to manage the potential for inadvertent and accidental effects, while the agreed competition in this space remains relatively immature. In essence, one can expect the structural incentives and strategic rationales cited previously to compete short of armed attack to affect choices in an environment of unclear operations and encourage care.[80]

F. Stability of Agreed Competition

Just as it is critical to distinguish interaction from escalation in cyberspace, it holds logically that engagement should not be defined in and of itself as instability. Questions that require significant study beyond this article are: (1) under what conditions could competitive interaction involving increasing scale and scope lead to deliberate intensification and, thus, the destabili-zation of agreed competition short of armed conflict; and (2) under what conditions the use of non-cyber instruments of national power may exacerbate or moderate the intended effects of cyber operations, or vice versa.

When states seek to gain an advantage in, through, and from cyberspace, the dominant dy-namic in agreed competition is competitive interaction. Within the context of long-term agreed competition, however, the incentive for intensification could emerge if there were present an enduring and significant imbalance of persistent engagement between adversaries, leading to a relative shift in power between them or a relative decline of a state across the global distri-bution of power. This article posits that within the strategic contest of agreed competition, such extended or enduring imbalances of competitive outcomes leading to relative power shifts are a necessary condition for instability. Under such a condition, the declining state might see no other option but to break out of the agreed competition and use armed attack–equivalent oper-ations to reverse the situation. Thus, a sustained loss of relative power would undermine the stability of agreed competition short of war. The structural imperative for persistent engagement, therefore, produces dynamics toward an equilibrium of stability since the main objective of this strategic approach is to inhibit increases in scale, scope, and intensity, which can lead to relative power loss. Instability would be a consequence of ineffective or nonexistent, persistent engagement.[81] Operationally, restraint is structurally encouraged only when a particular state gains sustained advantage so as not to create incentives for adversaries to challenge the integ-rity of the agreed competition.



VII. INTERACTION AND ESCALATION METAPHORS FOR CYBERSPACEKahn noted that metaphors can be useful, but have their limitations; he took this perspective

regarding his own metaphor of a ladder. The arguments presented in this article suggest that a ladder is not well suited as a metaphor for building a model of potential cyberspace interaction dynamics and escalation. There are two reasons for this conclusion. First, it has been offered that today’s strategic environment is considered to be a long-term, strategic competition in which states will pursue their national interests short of war. The agreed competition in cy-berspace, in particular, is, similarly, characterized by operations that generate effects short of armed conflict equivalence. In this strategic space, competitive interaction will be the predomi-nant cyberspace dynamic as states seek to gain advantage. This dynamic is more analogous to the grappling one sees in a wrestling match in which competitors are locked in constant contact with one another while they seek to gain the initiative in the pursuit of sustained advantage.

Second, should a state deliberately choose intensification and challenge the integrity of agreed competition, cyberspace dynamics are unlikely to be as straightforward as an ascend-ing ladder. Libicki offers a modification of the ladder metaphor by arguing that escalation in cyberwar—particularly cyber against cyber—is likely to be jerky rather than smooth. What may look like a carefully calibrated ladder could, in practice, end up as a hodgepodge of sticky and bouncy rungs, where sticky rungs are those from which one cannot rise and bouncy rungs are those from which one rises much farther than anticipated.[82] This has some salience, given the lack of states’ experiences in cyber-enabled conflict and the uncertainty that is a consequence of the same. However, awareness of that uncertainty demands a consideration of how best it can be managed. It was argued in the previous sections that cyberspace and cyber operations offer opportunities for the management of intensification and escalation risks associated with those uncertainties. Operations that intensify or escalate but are designed to allow for the metering of effects and/or temporary degradation or damage, for example, take account of the uncertainty the target state may have reading another’s intentions and, therefore, facilitate deintensification or de-escalation.[83] But the notion of rungs still implies a linearity biased toward intensification that we have not witnessed to date in the competitive interaction dy-namics of agreed competition.

Grappling and effects management (through persistent engagement, for example) in agreed competition or beyond it may lead to “movements” up, down, and sideways. This competitive interaction may be best visualized and conceptualized as the Penrose Stairs, represented most famously in M. C. Escher’s 1960 lithograph entitled Ascending and Descending. Experience over time might help clarify whether one is going up, down, or sideways, but cyber interactions may not be straightforward in any of those three directions consistently. As an interactive space populated by many actors with many interests, any single cyber operation will be inter-action-specific. Penrose’s stairs, rather than Kahn’s ladder, is the better visualization of this competitive and dynamic space.



VIII. CONCLUSIONSeveral years ago, U.S. adversaries waded cautiously but strategically into the strategic com-

petitive space between war and peace, perhaps most fulsomely in cyberspace. Adversaries are now pursuing aggressive, strategic campaigns in, through, and from cyberspace to gain a strategic advantage in military, economic, and diplomatic arenas. As evidenced in recent U.S. strategic guidance, the United States has recognized that it must operate persistently in this space as well if it hopes to regain the upper hand over adversaries who have been reaping the benefits of their early, strategic adaptation to cyberspace at the expense of U.S. national inter-ests. Over the past nine years, USCYBERCOM has been both observing adversarial behavior and learning from it, resulting in the identification of a new strategic approach to arresting ad-versary gains and securing and advancing U.S. interests in cyberspace—persistent engagement.

Sustained, robust competition should be expected (and is occurring) in cyberspace in an agreed competition, and competitive interaction is currently, and will continue to be, the domi-nant interaction dynamic. If pursued strategically, persistent engagement could lead not only to reductions in the scale, scope, and intensity of adversary cyber operations/campaigns, but it may also, over time, clarify what can be regarded as being within the rules of an increasingly stabilizing agreed competition.

Ultimately, tacit and formal agreements to compete robustly short of armed conflict may be the grand, strategic consequence of cyberspace. This represents a different form of national security challenge of consequence that will require not just persistent engagement, but per-sistent study as well.



NOTES1. See, for example, Cyber Warfare in the 21st Century: Threats, Challenges, and Opportunities. Committee on Armed Services,

U.S. House of Representatives, March 1 2017, https://www.gpo.gov/fdsys/pkg/CHRG-115hhrg24680/pdf/CHRG-115hhrg24680.pdf; Lawrence J. Cavaiola, David C. Gompert, and Martin Libicki (2015) “Cyber House Rules: On War, Retal-iation and Escalation,” Survival (2015), 57:1, 81–104; David C. Gompert and Martin Libicki, “Cyber Warfare and Sino-Ameri-can Crisis Instability,” Survival (2014), 56:4, 7–22; Jason Healy, “Triggering the New Forever War in Cyberspace,” The Cipher Brief (April 1, 2018), https://www.thecipherbrief.com/triggering-new-forever-war-cyberspace.

2. See National Security Strategy of the United States of America (The White House, December 2017), p. 3 and 31, respectively; Summary of The 2018 National Defense Strategy of The United States of America (Department of Defense, 2018), p. 2: Summary of the Department of Defense Cyber Strategy (Department of Defense, 2018), p.1.

3. National Security Strategy, op. cit., p. 12.4. Command Vision for U.S. Cyber Command: Achieve and Maintain Cyberspace Superiority (United States Cyber Command,

2018), p. 3.5. See, Statement of Admiral Michael S. Rogers, Commander United States Cyber Command, Before the Senate Committee on Armed Ser-

vices, (May 9, 2017). https://www.armed-services.senate.gov/imo/media/doc/Rogers_05-09-17.pdf6. See Michael Fischerkeller and Richard Harknett, “Deterrence is Not a Credible Strategy for Cyberspace,” Orbis (Summer

2017), 61:3, pp. 381–393.7. Command Vision, op. cit., p. 4.8. The structure of cyberspace induces both a behavioral orientation—operational persistence—and a prescriptive necessity to

manage that behavior, labeled in US documents as persistent engagement. 9. Command Vision, op. cit., p. 4.10. Michael Fischerkeller, Offense-Defense Theory, Cyberspace, and the Irrelevance of Advantage (Institute for Defense Analyses: Alex-

andria, VA, 2018), p. 15, fn 58. Fischerkeller refers to low barrier to entry as an operational incentive for operational persistence vice a strategic imperative.

11. The Vision describes how they would operate—maneuvering seamlessly between defense and offense across the interconnected battlespace; where they would operate—globally, as close as possible to adversaries and their operations; when they would operate—continuously, shaping the battlespace; and why they operate––to create operational advantage for the United States while denying the same to U.S. adversaries. See, Command Vision, op. cit., p. 5.

12. Herbert S. Lin and Max Smeets in “What Is Absent from the U.S. Cyber Command ‘Vision,’” Lawfare, (May 3, 2018), https://lawfareblog.com/what-absent-us-cyber-command-vision.

13. The two risks highlighted are the impact of continuous engagement on high-demand low-density cyber forces and a diplomatic risk associated with claims that the United States is “militarizing” cyberspace.

14. Herman Kahn (with a new introduction by Thomas C. Schelling), On Escalation: Metaphors and Scenarios (Routledge: London, 2017), p. 3.While developed in response to the nuclear strategic environment, in spite of the important distinctions between it and the cyber strategic environment, the value of the framework is not diminished.

15. Ibid, pp. 4–6.16. Ibid, p.4.17. Ibid, p. 15.18. Ibid, p. 7.19. Forrest E. Morgan, Karl P. Mueller, Evan S. Madeiros, Kevin L. Pollpeter, Roger Cliff, Dangerous Thresholds: Managing Escala-

tion in the 21st Century (Santa Monica, CA: RAND Corporation, 2008).20. Ibid, p. 20.21. Ibid, p. 23.22. Ibid, p. 26.23. Ibid, p. 18.24. Ibid, p. 22.25. Ibid, p. 24.26. Ibid, p. 27.



NOTES27. Herbert S. Lin, “Escalation Dynamics and Conflict Termination in Cyberspace,” Strategic Studies Quarterly (Fall 2012), pp.

46–70.28. Lin also complemented the Morgan et alia framework by including another mechanism of escalation highlighted by Kahn—

catalytic—which occurs when some third party succeeds in provoking two parties to engage in conflict (often referred to as “false flag” operations). Ibid, p. 46.

29. Ibid, p. 56.30. Martin C. Libicki, Crisis and Escalation in Cyberspace (Santa Monica, CA: RAND Corporation, 2012). Of note, he deviates a bit

from Morgan et alia by describing horizontal escalation as the successive entry of the uninvolved into war on one or both sides. This descriptions aligns with Kahn’s description of compound escalation.

31. Ibid, p. 73.32. This point is also made by Michael Fischerkeller, “Incorporating Offensive Cyber Operations into Conventional Deterrence

Strategies,” Survival (January 2017), 59:1, pp. 103–134.33. Lawrence J. Cavaiola et alia, “Cyber House Rules,” op. cit.34. Ibid, p. 84.35. Brandon Valeriano, Benjamin Jensen, Ryan Maness, Cyber Strategy (UK: Oxford University Press, 2018). 36. This article argues that the distinction between interaction and escalation dynamics is critically important and not merely “dis-

tinctions without a difference.” See, Herman Kahn, On Escalation, op. cit., p. xvi.37. Arguably, this class of strategies has been overshadowed in the last 70 years by strategies of deterrence, the class of strategies

that was, and continues to be, the predominant focus of U.S. strategic thought and practice.38. Herman Kahn, On Escalation, op. cit., fn 4, p. 3. Kahn attributes this term to Max Singer.39. For example, Lin, Libicki, Cavaiola et alia and many policymakers repeatedly call for the establishment of such norms in cyber-

space to encourage “responsible” behavior, make appropriate a strategy of deterrence, and facilitate escalation management. Also see, Department of Defense – Defense Science Board Task force on Cyber Deterrence (Department of Defense: 2017).

40. See, James A. Lewis, Rethinking Cyber Security: Strategy, Mass Effects, and States (Center for Strategic and International Studies, January 2018), Michael Fischerkeller and Richard Harknett, “Deterrence is Not a Credible Strategy for Cyberspace”, op. cit.

41. The strategic focus on interactions reduces the importance of attribution of source, since it biases in favor of focusing in on behaviors. While relative anonymity is exploitable in cyberspace, anchoring ones’ strategy on behavior rather than source offers some re-balancing in favor of the defender.

42. Herman Kahn, On Escalation, op. cit., xiii.43. On this topic, also see Michael P. Fischerkeller and Richard J. Harknett, “What is Agreed Competition in Cyberspace?” Law-

fare (19 February 2019), https://www.lawfareblog.com/what-agreed-competition-cyberspace. 44. See, Command Vision, op. cit., p.6., where persistent engagement is described as allowing the United States to compete more

effectively below the level of armed conflict.45. See, Colin S. Gray, Making Strategic Sense of Cyber Power: Why the Sky is Not Falling (Strategic Studies Institute and U.S. Army

War College Press: Carlisle, PA, 2013), pp. 45–48 and Michael Fischerkeller, Offense, Defense, and the Irrelevance of Advantage, op. cit., pp. 15–16.

46. See Summary of the Department of Defense Cyber Strategy, op. cit.47. James A. Lewis, Rethinking Cyber Security, op. cit. See, specifically, Chapter 4, “Cyber Operations and Interstate Conflict,” and

Chapter 5, “Political and Strategic Constraints on Cyber Attack.”48. Ibid, p. 27.49. Ibid, p. 28.50. See Chapter 4 in Brandon Valeriano and Ryan C. Maness, Cyber War Versus Cyber Realities: Cyber Conflict in the International

System (Oxford University Press: New York, NY, 2015).51. It is interesting to ponder why much of security studies literature on cyberwar, cyber conflict, cyber deterrence, cyber crisis,

and escalation has been focused on a narrow band of important, but least likely activity, while the agreed competition space has emerged rather unexamined.



NOTES52. A note of caution for U.S. and western policymakers is warranted. It would be folly to think that U.S. adversaries won’t attempt

to dissuade the adoption of persistent engagement by initially responding in ways that seek to fuel the flames of fear of escalation from agreed competition. With this expectation, it would behoove U.S. policymakers to keep in mind the distinction recently offered between mass effects vice strategic effects. Mass effect cyber operations are intended to be visible and disconcerting but are not of strategic consequence and so their early appearance after the adoption of a more proactive cyberspace strategy should not be unexpected. Their occurrence, therefore, should not dampen policymakers’ resolve or confidence in pursuing persistent engagement in cyberspace. See, James A. Lewis, Rethinking Cyber Security, op. cit.

53. Thomas C. Schelling, The Strategy of Conflict (Harvard University Press: Cambridge, MA, 1960). 54. This mechanism terminology differs from that used in our earlier Lawfare articles on agreed competition in which we merely

repurposed and redefined Kahn’s widening and compounding. We feel that associating these new mechanisms with agreed competition and competitive interaction will limit potential confusion that may emerge from repurposing Kahn’s terms.

55. See, Command Vision, op. cit., p. 6. The Vision also notes that in form and conduct, the competition in cyberspace is one over initiative, i.e., by sustaining initiative over time through operations that can cumulatively affect relative power, strategic advan-tage can be realized.

56. For a chronological list of significant events, see Center for Strategic and International Studies’ Significant Cyber Events List. https://csis-prod.s3.amazonaws.com/s3fs-public/180308_Significant_Cyber_Events_List.pdf?Szs5ZuZShJAIfgcUXRsvB5T8C76P-JR0y.

57. The reference to “within” and “external” is intended to reinforce the notion that, through cyberspace, adversaries are able to secure their own and degrade, usurp, or circumvent others’ sources of national power no matter where those sources are located. See, 2016 Report to Congress of the U.S.-China Economic and Security Review Commission (Government Publishing Office, Washington, D.C.: November 2016), p. 299. https://www.uscc.gov/Annual_Reports/2016-annual-report-congress.

58. Statement for the Record: Worldwide Threat Assessment of the U.S. Intelligence Community, May 11, 2017, p. 2. https://www.dni.gov/files/documents/Newsroom/Testimonies/SSCI%20Unclassified%20SFR%20-%20Final.pdf.

59. China is said to have been the source of 2015 cyber operations targeting the U.S. Office of Personnel Management and the health care firms Anthem, and Premera and Carefirst Blue Cross. See, Krebs on Security: Catching Up on the OPM Breach, https://krebsonsecurity.com/2015/06/catching-up-on-the-opm-breach/, and Mandiant Consulting: M-Trends 2016 (February 2016).

60. Garrett M. Graff, “A Guide to Russia’s High Tech Toolbox for Subverting US Democracy,” Wired, (August 13, 2017). https://www.wired.com/story/a-guide-to-russias-high-tech-tool-box-for-subverting-us-democracy/.

61. Sean Lyngaas, “Symantec Traces Swift Banking Hacks to North Korea,” FCW (May 31, 2016). https://fcw.com/arti-cles/2016/05/31/swift-hack-dprk.aspx.

62. Persistent engagement follows from the structure of cyberspace and thus we should expect actors who seek advantage will turn to this strategic orientation. While this paper focuses on U.S. strategy, the operations ascribed in open-source reporting to China, Russia, and North Korea align with the expectations of persistent engagement and can be understood as variants of this strategic approach.

63. The comprehensiveness of public records of attacks and exploitations is a function of the willingness of targets to report them. Many targets, for various reasons, do not publicly disclose them nor is there a single source detailing the same. That said, general patterns of increasing scale and scope are still evident in analyses of events that have been reported. The trends data presented in this paragraph are based on industry research reports authored by FireEye Corporation and Mandiant, a FireEye company.

64. Garrett M. Graff, “A Guide to Russia’s High Tech Toolbox for Subverting US Democracy,” op. cit.65. This is a modification of Kahn’s definition of escalation to include escalation from agreed competition.66. Hierarchical levels include, for example, regular hosts, Domain Name Service servers, and gateway routers.67. Rebecca Grant, Victory in Cyberspace. (Air Force Association Special Report: Washington D.C., October 2007), pp. 5–7.68. These examples exclude interactions between states already engaged in armed conflict.69. For a comprehensive analysis of “Stuxnet,” see Kim Zetter, Countdown to Zero Day: Stuxnet and the Launch of the World’s First

Digital Weapon (New York, Crown Publishers, 2014). Note that the 2011-2013 DDoS operations against Wall Street ascribed to Iran is evidence of a desire to not engage in an escalatory spiral. The DDoS attacks did not cause physical damage as STUXNET did so they were yet another instance of a cyber interaction in agreed competition and not a spiral escalatory response.



NOTES70. See Kim Zetter, “A Cyberattack Has Caused Confirmed Physical Damage for the Second Time Ever,” Wired, 1 August 2015.

http://www.wired.com/2015/01/german-steel-mill-hack-destruction/.71. There need not be any necessary symmetry to the “rules” nor does agreed competition require initial concurrence on what is

legitimate or acceptable. There are cyber actions/operations short of war that some states may seek to legitimize/delegitimize, and differing perspectives or initial ambiguity over specific types of operations introduce a potential for intensification short of escalation. “Rules” and conventions, however, will develop over the course of interactions through interactive learning and other forms of signaling, i.e., diplomatic communications. Herman Kahn, On Escalation, op. cit., pp. 260–263.

72. Importantly, intensification could also be managed by levering non-cyber instruments of national power.73. See Herbert S. Lin, “Escalation Dynamics and Conflict Termination in Cyberspace,” op. cit., p. 68, Michael Fischerkeller,

Offense-Defense Theory, Cyberspace, and the Irrelevance of Advantage, op. cit., and Command Vision, op. cit., p. 6, where it is argued that cyber escalation dominance is not sustainable and superiority is always at risk. There are those who, nonetheless, refer to cyberspace escalation dominance as a viable strategy. See, Lawrence J. Cavaiola et alia, “Cyber House Rules,” op. cit., p. 99.

74. Steven M. Bellevin, Susan Landau, and Herbert S. Lin, “Limiting the Undesired Impact of Cyber Weapons: Technical Require-ments and Policy Implications,” Journal of Cybersecurity (March 2017), 3:1, pp. 59–68.

75. See Michael Fischerkeller and Richard Harknett, “Deterrence is Not a Credible Strategy for Cyberspace,” op. cit., pp. 390–393.

76. Such considerations in conflict resolution or bargaining scholarship are often referred to as “two-level games.” See, for example, Robert D. Putnam, “Diplomacy and Domestic Politics: The Logic of Two-Level Games,” International Organization (Summer 1988), 42:3, pp. 427–60.

77. An action could also be selected that serves both objectives simultaneously. See Martin C. Libicki, Brandishing Cyberattack Capa-bilities (Santa Monica, CA: RAND National Defense Research Institute, 2013).

78. Andy Greenberg, “Hackers Gain Direct Access to US Power Grid Controls,” Wired (September 6, 2017); ICF International (US Dept. of Energy Report), Electric Grid Security and Resiliency: Establishing a Baseline for Adversarial Threats (June 2016). Note that this either/or proposition cannot be offered via kinetic solutions.

79. Note that this reference to command and control differs from that discussed by Morgan et alia and Libicki. Whereas the con-cern here is with command and control of a specific cyber operation to actively manage escalation dynamics, their references are to the command and control of forces, writ large, to manage against unauthorized cyber operations. Forrest E. Morgan et alia, Dangerous Thresholds, op. cit., p. 26 and Martin C. Libicki, Crisis and Escalation in Cyberspace, op. cit., pp. 114–119.

80. Libicki discusses the use of narrative, rather than signaling to manage escalatory dynamics. Such an approach would align with our notion of strategic rationales for why escalation dynamics could be muted. Martin C. Libicki, Crisis and Escalation in Cyber-space, op. cit., Chapter 3.

81. Relative power loss can occur outside the agreed competition of cyber operations short of armed attack and also cause states to consider intensification or escalation through cyber means as an option. One might consider the use of code against Iranian centrifuges as such an example.

82. Martin C. Libicki, Crisis and Escalation in Cyberspace, op cit., p. 120.83. While these types of operations share the same strategic objective of the massively destructive operations associated with the

Russia’s strategic concept of escalating to de-escalate, they do not share the same destructive result. See, Joshua Stowell, “The Problem with Russia’s Nuclear Weapons Doctrine,” Global Security (February 13, 2018). https://globalsecurityreview.com/nuclear-de-escalation-russias-deterrence-strategy/.

Persistent Engagement, Agreed Competition, and Cyberspace ... · Persistent Engagement, Agreed...

Documents

Transcript of Persistent Engagement, Agreed Competition, and Cyberspace ... · Persistent Engagement, Agreed...